The Health Insurance Portability and Accountability Act, more commonly known as HIPAA, includes several provisions to allow people to report violations or suspected violations to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), including ways for these to be reported anonymously.
When should a suspected violation be reported?
Despite the best efforts of most HIPAA-covered entities, violations of HIPAA Rules can still occur. This may happen accidentally or deliberately through simple mistakes, poorly planned or implemented policies, or by disregarding rules. All violations should be reported to the OCR, even small ones, as they may be indicative of a larger problem that requires correction through training or better enforcement of correct procedures.
Violations reported to the Department must be submitted within 180 days of the time of discovery of the violation in order for the OCR to take action. In very exceptional cases, violations reported after this limit may still be examined, but only if there is a sufficiently “good cause” for the report not being made within the normal time limit.
Potential violations of the HIPAA Privacy Rule that are thought to have taken place before 14 April 2003, or potential violations of the HIPAA Security Rule that are thought to have taken place before 20 April 2005, cannot be examined by the OCR, as these Rules only came into force on those dates.
Reporting a HIPAA violation anonymously
The OCR receives information or reports from people who suspect that a HIPAA-covered entity has violated HIPAA, and then evaluates whether the report warrants further attention and investigation. Anyone can submit a complaint, and this can even be done via a dedicated online portal, which also explains how complaints can be made and how they are investigated.
The online portal does not, however, accept anonymous complaints. To submit an anonymous complaint, a form must be downloaded, filled out, and sent via email, post or fax to the OCR.
Anonymity and HIPAA complaints
While it is possible to submit complaints anonymously, the OCR will not investigate anonymous claims of misconduct. Therefore, it is vastly preferable to include a name and address when reporting a potential HIPAA violation. Legal protections exist to shield reporting parties from potential repercussions that the HIPAA-covered entity may try to exact. Any retaliation that the HIPAA-covered entity may attempt should also be reported to the OCR.
Even with these protections, people may feel exposed or vulnerable when making a complaint. Often, it may involve reporting colleagues or their own employer for potentially illegal behaviour, and fear of how they might react holds people back from making the report.
To overcome this, the OCR allows people to report violations using their name and address, but without authorizing the OCR to reveal their identity or any information that could be used to identify them. This means that the OCR can open an investigation into the alleged violation, but the identity of the person who made the complaint is not given to the covered entity.
In summary, HIPAA violations can be reported anonymously but these violations are not investigated. There are effective ways to report a violation without fear of identification or reprisals.